 Well, thank you for coming to this afternoon's session. I would like to introduce our next speaker, Karsten Schumann, sorry, Schumann, Schumann, I apologize, who's a professor of computer science at IT University at Copenhagen. He has 10 years of experience conducting research in elections. He's an expert in election security, has written over 60 academic papers, contributed in books, and hacked at DEF CON 2017, the win voting machine, shortly after the voting machine voting village opened. There we go, that's an odd sentence. He is a member of the computer science faculty at IT University at Copenhagen and leads the Center for Information Security Research. He has worked with the Carter-Saharie US Council of Europe, the Venice Commission, and the Air National IDEA in Sweden. So thank you very much. Thank you. If I would have known that you read all of it, I would have shortened it. Okay, so thank you very much for coming. Somehow the power is not plugged in. I don't know, I hope I can survive all the way. So, microphone. Okay, so, should I just take it like this? Okay, let me take it like this. So I don't know why it flickers, but. Okay, so I'm the one, last DEF CON, who kind of looked at the win vote voting machine and I hacked it and I'm trying to do the same thing again here. So that is the win vote voting machine from last year and I brought a copy. But before I start, let me kind of take a much broader way on elections and I'm actually gonna have pretty much the same conclusion as Alex just before me, but I am coming on a different way. So the Declaration of Human Rights actually kind of mandates that we all have, genuine elections because it says the will of the people shall be on the basis of the authority of government and this shall be expressed in periodic and genuine elections, which shall be by universal and equal suffrage and shall be held by secret vote or equivalent free voting procedures. So the equivalent free voting procedures is there because of our friends from Switzerland who are still up to today standing on the marketplace and raising their hands. Okay, so this is why it looks like this, but the emphasis is really on genuine. And in Europe, there's many countries that use paper ballots, okay? People make X on a piece of paper and then other people are counting it. Actually, they're counting it not only once, they're two different groups of people counting it so that you have a lot of assurance that it's correct. Now in the US, there's a lot of technology in the game and so the question really is, what kind of problem can you get with technology and I think we all know the answer, but there's actually only half of the answer that we are always talking about because we always talk about cyber attacks and you know, can you attack this thing? Can you change the votes? But that's actually, that's only half of the truth because the other half is the alleged cyber attacks that people, opposition members are coming and say like, listen, a cyber, you can't trust the result because there was a cyber attack, but there wasn't really one. So in both cases, if there is a cyber attack or an alleged cyber attack, the result is the same. There's a lot of bad stories in the news and people start losing trust. And so I have exactly the same picture that Alex had from verified voting. That's the current state of the use of technology in the United States. And you can see there are many states that are actually using technology. Some are using paper ballots, but many are using technology and there are five states that stick out and it's exactly the same states that Alex mentioned. It's Louisiana, it's Georgia, it's South Carolina, Delaware and New Jersey because those five states have these voting machines that do not produce a paper trail. So you cannot check retroactively if the machine was hacked or not. And when somebody claims that there was a cyber attack, you can't disprove that claim either. That is really, really problematic. So let me go and start with the VinVote voting machine. And it's here, that's how it looks, but I'm just gonna hack it remotely. And the nice thing about the VinVote voting machine for hackers is that you don't have to actually put in a USB stick or a smart card, but it always has Wi-Fi on. And so let's kind of just look at it for a little while, how we do this, okay? Up here in the corner, there should be, and of course, I gave the same talk at Black Hat and also there, it didn't really work. There should be, why isn't it there? Machine, it should be ST something. Okay, let's try. I've just checked it's sitting over there and it was there, okay? Maybe I have to knock on it. How can I hack it if it's not even online? Oh no, here it is, see? You just have to knock it. It's the ST, okay? This is a, it's a, I mind, all of Virginia was using these machines from 2004 to 2014 for one Bush and two Obama elections. Okay, so here's the password. It's A, B, C, D, E, of course, what else could it be? But it's a typical example, B, C, D, E, and we are connected. So any one of you can also connect to this machine if you want. And so now I'm connected with my laptop, okay? So the next thing I would like to do is I would like to hack it, of course. And for this I have Kali, okay? And let's just type in password is root, just in case you want to hack it, I'll just tell you. Okay, and it's a completely fresh thing. So if everything, there should be a directory CD, like I did not go into this directory. And there's something called demo which actually sets everything up. And if everything goes well, in just a minute, we actually have the prompt for the Windows, for the XP Windows machine here. And we can then actually start executing code. We can kind of do all kinds of damage, okay? So now it's time to exploit. And here it is, okay? Can you see that says Windows, I mean, everyone obviously, I became very famous because I did this, but I actually didn't do very much because I'm not really a hacker. All you have to do is Kali Linux gives you, hey, try this as heck, and you say, do it, and then you're in, right? How interesting is this? So let me kind of try to make this bigger. How do you make this bigger? Okay, I'm sorry, I can't make it bigger. And now also, okay, what did I do? Okay, but you see Windows XP, all right? So yeah, because I don't have so much time, I could now go through the directories and look at all of this stuff, but that's actually the rest of my talk. So the point is, these machines were in use, and you could have executed shell code, any kind of shell code that you wanted, from 2003 to 2014. This machine ran Windows, or ran, it's decommissioned, very good. It ran Windows XP, service pack zero, has never been updated, and this is why these vulnerabilities all exist. It's never been updated because it had to be certified to be used, okay? And there were about 4,000 units were deployed. I have one here. They have a small disk and a large disk, okay? Have a range of open ports which really sets it up for hacking, I mean, really. It's the easiest hack that you can do, and you can really execute any kind of code on that machine. There has been a security analysis by the Virginia Information Technology Agency in 2015 where they looked at it and said like, this is a piece of junk, we can't use this anymore. And then it was actually decommissioned. And because of the hack from DEF CON last year, actually, the state of Virginia decided to change the laws and disallowed any machine that doesn't produce a paper trail. So that's definitely a very, very good idea, okay? So, since in the last year, I said like, okay, can we figure out if somebody actually did something in the last eight years? Well, that would be the next natural question to ask, right? Did somebody actually hack that thing? And because I know Kali, I tried to kind of put Kali on the voting machine. I thought it was a nice picture, but it was actually more, it didn't really work. And at the end, what I've actually done is I kind of took out the disks. These are two SSD disks. And I kind of did forensic images on them and then kind of studied the forensic images. Now, it's a comparative forensic analysis because looking for irregularities, it's like looking for a needle in a haystack, except that you don't really know what the needle looks like and you don't know that you don't actually have the whole haystack. I mean, it's actually kind of, it's a ridiculously hard exercise, okay? And there's a lot of things that we found and I call this irregularities because it's without any interpretation of if it's malicious or maybe there are good explanations why this is, but I did not hunt for explanation for what I've seen. I've only observed things. Okay, so we use autopsy for it. And autopsy is the go-to tool for forensic analysis and then people start with that and then usually dig deeper. But for me, my point is just this is not good evidence. A machine like this, you don't get any evidence. You don't understand enough and autopsy can already give this, okay? We didn't have any memory dumps, okay? We don't even know who connected wirelessly to this machine. So that was my hope. There should be some log files and says like on election day like 17 people actually connected to this. There's actually a report from early users of the machine in Virginia where people complained that the machine was turning off while they were using it. The question is, did it turn off because a hacker turned it off? Like I could turn off this machine or is it because, yeah, there was a bug in the program. But we had access to these log files and these SSD drives and so I asked eight of my friends who also got one of those or I asked 20 of my friends and eight actually replied, can I have your disks? And they gave me their disks. And so big thanks to Lyle, to Joshua, to Noel, to Philip, to lots of people who kind of had the guts to unscrew the bottom of the thing, and rip out the disks. Some actually mailed it to me from the US and then I ripped it and I put it back. So what did we find? Okay, forensic, okay, that's pretty clear. We wanted to kind of understand what is the needle. We don't know exactly what the needle looks like but we wanted to know somebody exploited vulnerabilities that somebody installed root kids, malware, where the machines used for other purposes. Alex who just spoke actually showed how to run Pac-Man on one of those machines. The native machines was shown to be a good chess computer by Rob Gong drive many years ago or did anyone mock with the binaries? So here's some kind of things. So I just start off this thing and it says in the documents, recent documents folder. So it's like from 2004, there's a file which I name, I cannot really read because it has some Chinese characters in it but it is actually a link to an MPEG-3 file. So I said like, oh MPEG-3 file sounds interesting. So I Googled it and I just want you to hear it. So there is traces on these voting machines of MPEG-3 files that sound like this. And I said like, that's weird, okay. That should not be. That should not be, that's weird. Okay, then I actually did a little bit more and you actually find traces of CD-ripping software. So somebody, and I mean I just looked at my machine and it looked like my machine was used through RIP CDs. And there's actually a software to broadcast MPEG-3s which is called Wingsofts, which you can still find. Just have to type it in. And that was actually used to, that's really weird to click on it and says like skin file not found. Okay, somebody deleted the skin file. But then at the beginning I said like, oh my goodness, I found something. Somebody used my voting machine for MPEG-3 hacking. It's actually not entirely true because I have eight machines and four of them have the same files. So all of those files are on four of the machines. So that means there was a dirty image that somebody at this company who produced it must have ripped CDs with the good image and then it was distributed over all of the machines. So then I said like, this is like entertaining. Okay, fine, let's just believe that this was not used for hacking. But this is still strange. So I actually went to some more serious stuff and I went through all of the dates where there was major November elections in the United States and that's how it looks like, right? So you have, there's a timeline feature in autopsy. It's a fantastic tool actually to kind of do some analysis and all of the events actually are summarized. So that is for November 6th, 2012, the presidential election where Obama was re-elected and you can see like, this green stuff means somebody has inserted USB sticks or something else which is also normal because these machines actually have a USB stick which is not where the results are recorded. Who knows what happens during the day and then at the end, you know everything's fine. So I went through all of these files and this all looks kind of, it looks reasonable, right? Looks reasonable. So that catches the vote register. These ones did some updates to the database and at the end all of the files were printed or created, the report files and were zipped up. So that made sense. Then I said like, let's look at 2013. And in 2013, there's something really strange because so I have eight machines and seven machines were used in the gubernatorial election in 2013. And on one of the machines, after polling day opened, before the polling day closed, 60 files in the window system directory were marked as of a flagged as modified. And so I said, even the cmd.exe file and even the winvote.exe file is also flagged as modified. I said like, what the hell is this, right? I have no good interpretation for it. But what I could see is that in this machine, somebody inserted some USB device. It actually says a root hub. I don't know exactly what it is. And inserted it into the machine and then that triggered a bunch of changes to the system's file directory. I have no idea why, I don't know anything. I checked at the end the current versions of cmd.exe and winvote, they are actually all the same across all of the machines but their remark is modified. That's really strange, okay. So I put all of these findings like in one table. There are many more little things, right? But maybe let me just, the last one to comment on is the gubernatorial election from 2005. Because I have eight machines, only five of those machines were used during that election. And three of these machines tried to dial out on their modem line. And one machine dialed the wrong number and didn't get the dial tone. And the other two machines that were successfully and connected someplace with the dial tone. So data was exchanged on those machines. You know exactly what time. It's actually very funny. These machines were decommissioned and they were given to me to Denmark but all of the data is intact, right? Nobody wiped this, that's also kind of funny. Okay, so here and then we have this, most of those things actually look completely fine, right? Harmless, except the last one. But you can actually, I have these, I have the images here, they're on this laptop. So if anyone is interested in forensics, I am happy to share them in the voting village and kind of look for more stuff. So what do we learn from all of this? Now I come to the part that actually is very, very close to also what Alex said. We need evidence, right? Because what kind of evidence do you really prefer? This Discord module, this is actually a picture of the drives. These are SSD drives from 2002. They must have been very, very expensive. Or paper, what is better evidence? And so the, you know, I'm not sure if I definitely did not convince you, I hope at least, that this was the best machine ever made, okay? So you can't hack it. But I think that's much, much better is actually having paper. And so you can do this risk limiting audit. And you know, because Colorado is really leading in the implementation of these post-election audits, here's just an example of how such an audit actually would work. So during the 2016 election, where this machine was not used, okay? So the difference between Donald J. Trump and Hillary Clinton was about 130,000 votes. Okay, so that is the announced election result. And so if that is the wrong result, somebody must have tempered with at least 130,000 votes. And so the statistical arguments goes, can you look at the paper trail and draw a random sample to find evidence that this tampering has actually taken place? And if you can, then the risk limiting audit method will actually auto correct and say like, you know, now you have to look at a bigger sample. Or at the very end, it says like, you have to do a full recount. And that's exactly what you want, right? If you can't trust the evidence, you have to recount everything. It's actually the perfect procedure. And as long as the margins are wide, like here, 130,000, you can actually kind of get away with very small sample sizes. Okay, so the sample here that you have to pick is 142 ballots for that particular race, the presidential race 2016 in Colorado. And that is not precincts, that's not ballot boxes. You have to just draw 142 ballots, but they have to be truly random. And in order to kind of get something which is truly random, and I can't believe it, I'm a computer scientist, you have to use those 10-sided dice. These 10-sided dice are actually from Ron Revest, I assume. And that's an election official, maybe the election official in Colorado actually kicking off the audit for the 2016 election. Yes, the state of risk-living audits, or any kind of auditing, is not as good as it could be. Because the darker, the better. In many states, so Louisiana, Georgia, South Carolina, and those states up there, Delaware and New Jersey, they can't audit anything because they have no paper. The only thing you can do there is actually kind of check these machines. And that is kind of very worrisome. And again, for me, a risk-living audit actually serves two purposes. Number one, it shows that a cyber attack, if it happened, had no influence on the election result. And number two is, if there was an alleged cyber attack, it also did not have any effect on the election result. And so this is why a risk-living audit is actually a confidence-building methodology, and it's actually quite good. So I have only one conclusion for my talk. Use paper and do your audits. And I'm not sure how many election officials are here, but I think really this is an important message. I think it's exactly the same as such that Alex has just sent, and I'll just double up on him. Thank you. So the question was, if you have a secure connection between different devices and to some kind of central server and all of the connections, everything is kind of safe. So we have to think about who is the attacker and what can the attacker do? And the attacker might be an insider attacker, actually kind of, maybe Alex is the insider attacker with his magic cards, he inserts them, and the ballots are changed before they're actually being submitted. That's a true problem. And when I did forensic analysis, all of the binaries that I actually, the code that is in the system, there are hash files that look actually, yeah, that's a known file that looks the way it should look and so on and so forth. It checks those kind of things as well. But it could be that if you only have a system where somebody installed malware on it, it changes the votes exactly how Alex's machine just did it, and then submits the wrong results, how will you ever figure out? And the problem really is not just that the results are correct or not. The problem really is the trust and the confidence in that the result is correct. And we can talk about as much technology in the election as we want. There will be always a way to kind of attack it. And that is not confidence building. And so the paper thing actually kind of shorts cut this entire discussion and make sure that you have an independent verification of whatever went into the process, namely the ballots and whatever came out of the process, actually are in correspondence. So the, that's exactly what this risk limiting audit is doing. Because when you are drawing a random set, so in the, it's the final marshal again. Okay, so basically in this example, right, you have counted up all of the ballots and you come up as a result. Now you wanna know if the result's correct. So the only way how this result could not be correct is if somebody has tampered with 133,000 ballots in the ballot boxes. And so now you're looking for statistical evidence that those ballots have been tampered with. And so the way how you do it is you kind of set a level of confidence and we have set the level of confidence to 5%. So that means we are 95% sure that it's correct after we have looked at 142 ballots. It's a very, very small number. But this is exactly how you check the aggregation. The aggregation you kind of check by looking at the margin that would make a difference. And then you kind of look for evidence in the paper trail that something went wrong, either when you computed the result or somebody actually kind of tampered with the paper trail itself. That's it, yeah. Any other questions? Okay. Thank you. Thank you.